Security Identifiers in XML

Exchange Server 2003

This content is no longer actively maintained. It is provided as is, for anyone who may still be using these technologies, with no warranties or claims of accuracy with regard to the most recent product version or service release.

A security identifier (SID) is used in a security descriptor to identify trustees. In the Exchange store XML format, security identifiers are represented with the XML elements listed in the following table. All elements and attributes reside in the http://schemas.microsoft.com/exchange/security/ namespace.

Element name          Possible child elements or contents
sid                   string_sid? nt4_compatible_sid? type? ad_object_guid? display_name?
                      (a trailing ? marks an optional child element)
string_sid            Microsoft® Windows® SID in string format; for example, "S-1-1-0".
nt4_compatible_sid    Microsoft Windows NT® Security Account Manager (SAM)-compatible account name; for example, "Domain\User".
type                  One of the following strings: "user", "group", "domain", "alias", "well_known_group", "deleted_account", "invalid", "unknown", "computer". These correspond to the values of the Win32 SID_NAME_USE enumeration.
ad_object_guid        A globally unique identifier (GUID) in standard string format. This GUID is the objectGUID attribute of the Microsoft Active Directory® object identified by this SID.
display_name          A display name for the trustee; for example, "Administrator". The display name is taken from the trustee's Active Directory object.

The following is an example of a SID in XML format:


Security identifiers (SIDs) in this format appear in the descriptor's discretionary access control list (DACL) and system access control list (SACL), and identify the item's owner and primary group.

When a security descriptor is retrieved for an item, every element the store knows for a trustee is present in its <sid> element. When you set a security descriptor, however, specify only one of the elements in the <sid> structure. The most efficient way to identify a trustee is the <string_sid> element, because it requires no directory lookup. If you do not know the trustee's SID before you update the descriptor, you can instead specify (in order of decreasing lookup efficiency) the <nt4_compatible_sid> element, the <ad_object_guid> element, or the <display_name> element; from any one of these, the Exchange store resolves the trustee's SID by searching Active Directory or a local SAM account database. Avoid the <display_name> element whenever possible: display names are not guaranteed to be unique, so a lookup by display name can match the wrong user object and grant or deny access to an unintended trustee. If multiple elements are present in a <sid> element that you set, the store uses the most efficient one (in the order given above) and ignores the rest.
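The page's own XML example of a <sid> element did not survive, so the following is an added, constructed example (not code from the original page or from Exchange) built from the namespace and element names in the table above. It parses a retrieved <sid> element with all children present and validates each value (string-SID syntax, the type enumeration, GUID format); for the setting direction it emits a <sid> element carrying only the single most efficient identifier in the lookup order described above, and refuses a display-name-only lookup unless the caller explicitly allows it. The trustee values in RETRIEVED_SID (the SID, the account name CONTOSO\jdoe, the GUID and the display name) and the function names build_sid_xml and parse_sid_xml are constructed for this example.

```python
"""Build and parse Exchange store <sid> elements (constructed example, not the
page's own code). Namespace and element names come from the page; the sample
trustee values (SID, SAM account name, GUID, display name) are made up."""
import re
import uuid
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/exchange/security/"
# Lookup order from the page: a string SID needs no directory search; the other
# three force the store to resolve the trustee in AD or a local SAM database.
LOOKUP_ORDER = ("string_sid", "nt4_compatible_sid", "ad_object_guid", "display_name")
SID_TYPES = {"user", "group", "domain", "alias", "well_known_group",
             "deleted_account", "invalid", "unknown", "computer"}
# S-1-<authority>-<subauthority>[-<subauthority>...]; the identifier authority
# may be decimal or 0x followed by 12 hex digits.
SID_RE = re.compile(r"^S-1-(?:\d+|0x[0-9A-Fa-f]{12})(?:-\d+){1,15}$")


def build_sid_xml(allow_display_name=False, **known):
    """Emit a <sid> element carrying exactly one child: the most efficient
    identifier we know for the trustee. Other identifiers are dropped, since the
    store would use only the most efficient one present anyway."""
    for name in LOOKUP_ORDER:
        value = known.get(name)
        if not value:
            continue
        if name == "display_name" and not allow_display_name:
            raise ValueError("display_name lookups are ambiguous; pass a SID, "
                             "SAM name or objectGUID, or set allow_display_name")
        if name == "string_sid" and not SID_RE.match(value):
            raise ValueError(f"not a valid string SID: {value!r}")
        if name == "ad_object_guid":
            value = str(uuid.UUID(value))  # normalise; raises on garbage
        sid = ET.Element(f"{{{NS}}}sid")
        ET.SubElement(sid, f"{{{NS}}}{name}").text = value
        return ET.tostring(sid, encoding="unicode", default_namespace=NS)
    raise ValueError("no trustee identifier supplied")


def parse_sid_xml(xml_text):
    """Parse a <sid> element as returned when a descriptor is retrieved (all
    known children present) and validate each value before trusting it."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS}}}sid":
        raise ValueError(f"expected {{{NS}}}sid, got {root.tag}")
    out = {}
    for child in root:
        if not child.tag.startswith(f"{{{NS}}}"):
            raise ValueError(f"element outside the security namespace: {child.tag}")
        name = child.tag[len(NS) + 2:]  # strip the "{NS}" prefix
        text = (child.text or "").strip()
        if name == "string_sid" and not SID_RE.match(text):
            raise ValueError(f"malformed string_sid: {text!r}")
        elif name == "type" and text not in SID_TYPES:
            raise ValueError(f"unknown trustee type: {text!r}")
        elif name == "ad_object_guid":
            text = str(uuid.UUID(text))
        elif name not in LOOKUP_ORDER and name != "type":
            raise ValueError(f"unexpected child element: {name}")
        out[name] = text
    return out


# Constructed sample of a retrieved SID element; every value is made up.
RETRIEVED_SID = f"""<sid xmlns="{NS}">
  <string_sid>S-1-5-21-1004336348-1177238915-682003330-1104</string_sid>
  <nt4_compatible_sid>CONTOSO\\jdoe</nt4_compatible_sid>
  <type>user</type>
  <ad_object_guid>e3f1c2d4-5a6b-4c7d-8e9f-0a1b2c3d4e5f</ad_object_guid>
  <display_name>Jane Doe</display_name>
</sid>"""

if __name__ == "__main__":
    trustee = parse_sid_xml(RETRIEVED_SID)
    print(trustee)
    # Writing the trustee back into a descriptor keeps only the string SID.
    print(build_sid_xml(**trustee))
    # A display name alone is refused unless explicitly allowed.
    print(build_sid_xml(display_name="Administrator", allow_display_name=True))
```

Feeding the parsed result of a retrieved <sid> straight back into build_sid_xml yields a <sid> with only <string_sid>, which is the form the store resolves fastest; the GUID is normalised to lower case so that two spellings of the same objectGUID compare equal when descriptors are diffed.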

